A user wishing to use two computers that are part of independent domains has, in most cases in the past, used them separately, with one set of monitor 4, keyboard 6 and pointing device 5 (such as a mouse) for each computer 2 (see FIGS. 1 and 2 and the respective discussion later in the specification).
A multi-level secure user interface is a system, method or device that facilitates access to multiple independent computer domains (e.g., independent physical computers, or independent computer networks) from a single user interface.
The security of a multi-level secure user interface is an issue which is sometimes underestimated or dismissed in favour of the convenience and efficiency of a user being able to view all the domains at the same time. To achieve this convenience a user can use a switching arrangement that allows the same peripheral inputs, such as keyboard and pointing device, to be used with a single monitor to view and interact with all the available domains. Such an arrangement is, however, often not intended to keep the domains isolated from one another. This can be a serious issue if the domains are independent and isolated for a reason.
One prior arrangement for providing this functionality is to provide a Keyboard Video Mouse (KVM) switch 33 that is configured to connect a single keyboard 6, monitor 4, and pointing device 5 such as a mouse to a selected computer of multiple computers 2a 2b that may be part of respective separate domains (see FIG. 3 and respective discussion later in the specification). The KVM switch 33 permits sending keyboard signals to one computer and displaying the video from that same computer while also sending mouse generated signals to the selected computer which are then transformed into the cursor movements displayed on the single monitor 4. It is also possible in some KVM switches for the selected computer to be viewed and accessed but still allow the single monitor to view the output from another of the computers.
There is a possibility that data from one domain can be surreptitiously sent to another domain due to hardware and software elements in the switch and/or there is also a possibility that without adequate electromagnetic isolation, data passing through one switch circuit can be detected by unused portions of the switch circuit still connected to a host computer and then leaked to another domain. There are multiple further ways in which data can be collected and sent to another domain without the knowledge of the user.
A Secured KVM, such as those depicted in FIGS. 4 and 5 and in U.S. Pat. No. 8,769,172, physically enforces unidirectional flows between the keyboard 6 and mouse 5 and any one of a number of attached host computers 2a 2b, thereby preventing data leakage between domains. The components controlling the switching of the keyboard and mouse input to the correct host computer and the components enforcing the unidirectional data flow are trusted and designed to some extent to be trustworthy. FIG. 1 also depicts a prior art secured KVM. The Secured KVM presents the Graphical User Interface (GUI), or video display output, from each host computer in a number of manners. In a first manner the host computer currently connected to the keyboard and mouse has its video output consume the whole display (a dominant fashion); a second and third manner allow the video outputs from the separate domains to be either tiled or cascaded on the screen. In these manners, interacting with each domain occurs through a separate GUI presented on the screen (either dominantly, or in a tiled or cascaded fashion). A user can select which GUI to interact with using the pointing device; however, interaction is strictly with one domain at a time. FIG. 6 depicts a yet further representation of the display provided by a prior art arrangement where the individual windows are displayed separately.
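The routing rule of the KVM switch described above and the unidirectional-flow policy of the Secured KVM can both be captured in a small reference model, given here as an added illustration that is not code from this specification or from any product. It assumes constructed host identifiers ("host_a", "host_b"), a constructed event format, and the policy as the text states it: keyboard and pointing-device events reach only the one host currently selected, host output reaches only the display, and no path exists from a host back to the input devices or across to another host.

```python
"""Reference model of a secured KVM's flow policy (added illustration, not the
specification's own design). Hosts, ports and events are constructed names."""
from dataclasses import dataclass, field
from enum import Enum


class Port(Enum):
    KEYBOARD = "keyboard"
    MOUSE = "mouse"
    HOST = "host"


@dataclass(frozen=True)
class Event:
    source: Port
    source_id: str   # constructed: "keyboard", "mouse", "host_a", ...
    payload: bytes


class FlowViolation(Exception):
    """An event was pushed toward a destination the policy keeps closed."""


@dataclass
class SecuredKvm:
    hosts: list                      # attached host ids (constructed)
    selected: str                    # host currently receiving input
    log: list = field(default_factory=list)  # (destination, event) audit trail

    def select(self, host_id: str) -> None:
        """Switch keyboard/mouse to another attached host (the user's selection)."""
        if host_id not in self.hosts:
            raise ValueError(f"unknown host {host_id}")
        self.selected = host_id

    def route(self, event: Event) -> str:
        """The single destination the policy permits for this event."""
        if event.source in (Port.KEYBOARD, Port.MOUSE):
            return self.selected         # input goes to exactly one host
        if event.source == Port.HOST:
            if event.source_id not in self.hosts:
                raise FlowViolation("event from a host that is not attached")
            return "display"             # host output goes to the display only
        raise FlowViolation(f"no outbound path from {event.source}")

    def deliver(self, event: Event, dest: str) -> str:
        """Attempt delivery to `dest`; refuse anything but the routed destination."""
        permitted = self.route(event)
        if dest != permitted:
            raise FlowViolation(
                f"{event.source_id} -> {dest} blocked; only {permitted} is permitted")
        self.log.append((dest, event))
        return dest


def audit(kvm: SecuredKvm) -> bool:
    """True if the audit trail contains no host->host or anything->input flow."""
    for dest, event in kvm.log:
        if dest in ("keyboard", "mouse"):
            return False                 # nothing may flow back to input devices
        if event.source == Port.HOST and dest != "display":
            return False                 # host output may only reach the display
    return True


def run_scenario() -> dict:
    """Exercise the model on constructed traffic and report what happened."""
    kvm = SecuredKvm(hosts=["host_a", "host_b"], selected="host_a")
    first = kvm.deliver(Event(Port.KEYBOARD, "keyboard", b"a"), "host_a")
    kvm.select("host_b")
    second = kvm.deliver(Event(Port.MOUSE, "mouse", b"\x01\x00"), "host_b")
    video = kvm.deliver(Event(Port.HOST, "host_a", b"frame"), "display")
    try:                                 # host_a trying to reach host_b directly
        kvm.deliver(Event(Port.HOST, "host_a", b"leak"), "host_b")
        cross_blocked = False
    except FlowViolation:
        cross_blocked = True
    try:                                 # host_b trying to write toward the keyboard
        kvm.deliver(Event(Port.HOST, "host_b", b"cmd"), "keyboard")
        back_blocked = False
    except FlowViolation:
        back_blocked = True
    return {"first": first, "second": second, "video": video,
            "cross_blocked": cross_blocked, "back_blocked": back_blocked,
            "audit_ok": audit(kvm), "deliveries": len(kvm.log)}


if __name__ == "__main__":
    print(run_scenario())
```

The value of the model is the shape of `route`: the destination is a function of the event's source port alone, so a host cannot name a peer host or an input device as a target, and `audit` checks the recorded trail against the same two invariants the text attributes to the hardware.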
Existing arrangements deal with the problem of an efficient and convenient multi-level secure user interface. These implementations use a system which virtualises access to desktops. Examples of such systems include: AFRL's SecureView, which runs multiple environments in logically isolated Virtual Machines (VMs) and provides secure software-based compositing of different-level windows; C4 Systems TVE, which runs multiple VMs on the same computer and allows access to all the VMs through the same desktop, at a slightly coarser granularity than SecureView; and Raytheon's Trusted Thin Client, which utilises a customised CentOS operating environment to support the delivery of remote desktops from multiple domains, across a single wire that connects back to a distribution console.
The described solutions provide a software-based interface. Increasingly the trusted element in these solutions is a hypervisor, e.g. Xen, a medium-sized kernel of code that executes below the operating system and can be used to support virtualised domains. Often a small secure domain will contain additional code to further support the multi-level secure solution functionality. Some examples include Qubes OS, TrustGraph, and the previously mentioned SecureView. In mobile environments, hypervisors are being employed in a simpler manner to protect subsets of functionality, in this instance just ensuring that certain portions of a display are quarantined for use by a certain domain.
The described solutions all have a software trusted computing base and also assume, for a large part, that the underlying hardware mechanisms can be utilised and are unconditionally trusted. Three issues with the software trusted computing base arise: one, the size of the code is often too large and unwieldy to formally reason about and hence to guarantee its trustworthiness; two, the software is vulnerable to many different, well-known attacks, which can result in the software being utilised to enable data leakage between otherwise isolated domains; and three, the software-based solutions do not maintain physical isolation between independent domains, relying solely on a logical separation enforced by the software. Even in the case where the software components perform flawlessly, a fault in the underlying hardware opens the opportunity for inadvertent release of sensitive data between isolated domains.
Operation of more than one domain from a single monitor in an arrangement which integrates and unifies multiple desktop elements from different domains into a single user interface using a single keyboard and single pointing device is very desirable for convenience and efficiency reasons but heretofore not readily possible while maintaining both a high level of isolation and security.